Security Frameworks
Robert M. Slade, MSc, CISSP
rmslade@shaw.ca, rslade@vcn.bc.ca, rslade@computercrime.org
http://victoria.tc.ca/techrev/rms.htm
Security frameworks
● Guidelines
● Principles
● Standards
● Frameworks/breakdowns/structures
● Checklists
● Software
● “Best Practice”
● Audit guidelines/outlines
● Legislation
● Reporting standards
● Product evaluation
Security frameworks
● Financial reporting instructions
  Sarbanes-Oxley/Sarbox/SOX, COSO, Turnbull, Basel II
  Reliability of reported finances
● Information systems: source of reports
  Internal controls
● Information system controls
● Insider attack, fraud?
Security framework types
● Governance
  Breakdowns/frameworks
● Checklists
  Controls lists
● Risk management
  Infosec, business, and banking
  Process oriented
● Audit and assurance
Weaknesses
● Content limitations
● Define “Secure”
● “Best Practice”
BS 7799/ISO 27000 family
● BS 7799 Part 1
  ISO 17799, ISO 27002 code of practice
  133 controls, 500+ detailed controls
● BS 7799 Part 2
  ISO 27001 Information Security Management System (ISMS)
● ISO 27000 ISMS fundamentals and vocabulary, umbrella
  27003 ISMS implementation guide
  27004 ISM metrics
  27005 infosec risk management
  27006 certification agencies
  27007 audit
COBIT
● ISACA (formerly Information Systems Audit and Control Association)
● Four phases/domains:
  Planning and Organization
  Acquisition and Implementation
  Delivery and Support
  Monitoring
Common Criteria (CC)
● Common Criteria for Information Technology Security Evaluation
● ISO 15408
  not a security framework, not even an evaluation standard
● Framework for specification of evaluation
  Protection Profile (PP)
  Evaluation Assurance Level (EAL 1-7)
FISMA
● Federal Information Systems Management Act – US
  National Information Assurance Certification and Accreditation Process (NIACAP)
  National Institute of Standards and Technology outline
  Defense Information Technology Systems Certification and Accreditation Process (DITSCAP)
  Director of Central Intelligence Directive 6/3
Information Security Forum (ISF)
● Standard of Good Practice for Information Security
● 5 "aspects"
  Security Management
  Critical Business Applications
  Computer Installations
  Networks
  Systems Development
● broken out into 30 "areas" and 135 "sections"
● www.securityforum.org
● http://www.isfsecuritystandard.com/pdf/standard.pdf
ITIL
● Information Technology Infrastructure Library
  management guidelines
● Incident response
● Problem management
● Change management
● Release management
● Configuration management
● Service desk management
● Service level management
● Availability
● Capacity management
● Service continuity
● IT financials
● IT workforce/HR management
● security removed in recent revision
● influenced BS 15000, ISO 20000
Management frameworks
● Zachman Framework
● Calder-Moir Framework
● Balanced Scorecard
NIST
● library of freely available resources: http://csrc.nist.gov
● Information Security Handbook: A Guide for Managers (800-100)
● Recommended Security Controls for Federal Info Systems (800-53)
● Guide to Information Technology Security Services (800-35)
● Risk Management Guide for Information Technology Systems (800-30)
● Engineering Principles for Information Technology Security (800-27)
● Guide for Developing Security Plans for Federal Info Systems (800-18)
● Generally Accepted Principles and Practices for Securing Information Technology Systems (800-14)
● An Introduction to Computer Security: The NIST Handbook (800-12)
● Security Self-Assessment Guide for Information Technology Systems (800-26)
OCTAVE
● Operationally Critical Threat, Asset, and Vulnerability Evaluation
● Carnegie Mellon University
● risk management
Securities and Financial
● Basel II
  bank solvency, “operational risk”
● COSO
  Committee of Sponsoring Organizations of the Treadway Commission
  Enterprise Risk Management Integrated Framework
  internal controls
● SOX
Security Governance
● part of “CISO Toolkit” (Fred Cohen)
● structured according to business concepts, rather than security topics
  easier for businesspeople to understand
● checklist in book form, 900 checks
SSE-CMM
● Systems Security Engineering Capability Maturity Model
  Basic (chaotic/informal)
  Planned and verified
  Well defined and coordinated
  Measurable and quantitatively controlled
  Constantly improving (optimizing)
Which one?
● no framework is best for all: no one-size-fits-all in security
● no framework is the sole source for any enterprise: multiple frameworks, multiple perspectives
● Which one addresses a viewpoint you haven't used?